Software Release Date: 10/30/2002
Updated Date: 03/05/2007
This release note documents version 4.5 of the BIG-IP software. You can apply the software upgrade to versions 4.1.1 and later. For information about installing the software upgrade, please refer to the instructions below.
This section describes the minimum system requirements for this release.
This release supports these platforms:
If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.
Important: We recommend that you apply the latest PTF after you upgrade to version 4.5 of the BIG-IP software. If you have already upgraded to version 4.5, or you are not sure which version level is installed on your system, you can check the version by typing b version from the command line. For more information about downloading the latest PTF, see SOL167: Downloading software from F5 Networks.
Use the following instructions to apply the upgrade to the BIG-IP software, version 4.1.1 and later. The installation script saves your current configuration.
Warning: Before you install the software, you must have a valid registration key. If you do not have a valid registration key, DO NOT attempt to install the software. If you choose to continue without obtaining a registration key, the BIG-IP system will not be fully functional. If you do not have a registration key, please contact your vendor to obtain one.
Important: If you have a valid license file from a previous version of the BIG-IP software, use the following site to obtain a new license key: http://tech.f5.com/license/license.html.
The latest version of the release note is available at http://tech.f5.com.
Important: If you are upgrading an IP Application Switch or a BIG-IP system that uses a solid state disk (SSD), use the installation instructions here.
Note: If you want to create a CD image of the upgrade, download the bigip45crypto.iso.
When the im script is finished, the BIG-IP unit reboots automatically.
Note: This procedure provides over 90MB of temporary space on /mnt. The partition and the im package files are deleted upon rebooting.
To activate the software, you need a valid license certificate. To gain a license certificate, you need to provide two items to the license server: a registration key and a dossier.
The registration key is a 25-character string. You should have received the key by email. The registration key lets the license server know which F5 products you are entitled to license.
The dossier is obtained from the software, and is an encrypted list of key characteristics used to identify the platform.
You can obtain a license certificate using one of the following methods:
Note: You can open the Configuration utility with Netscape Navigator version 4.7, or Microsoft Internet Explorer version 5.0 or 5.5. The Configuration utility is not supported in Netscape Navigator version 6.0.
Enhanced support for managing SSL connections
This release includes several new features designed to further simplify the administration of SSL connections. These features include extensive web-based screens for centralized key management, and support for certificate revocation lists (CRLs). Another new SSL feature is the ability for an SSL proxy to interoperate with an LDAP database to authorize users based on client certificates. This LDAP database can reside either locally on the BIG-IP system, or remotely on another server on your network. Lastly, you can now limit the number of connections coming into an SSL proxy, for security or load balancing reasons. For more information on managing SSL connections, see the BIG-IP Reference Guide, Chapter 7, SSL Accelerator Proxies.
Easy system account creation
With this release, the BIG-IP system now offers a centralized Setup screen to set the passwords for the three system accounts: root, admin, and support. For the support account, you can also specify whether to allow command line access, Web access, or both. For more information on managing user accounts, see the BIG-IP Reference Guide, Chapter 17, Administering the BIG-IP System.
You can now use the Setup utility to configure a remote LDAP or RADIUS authentication server. With this feature, you no longer need to directly edit configuration files to set up your LDAP or RADIUS authentication server. For more information about configuring remote authentication, see the BIG-IP Reference Guide, Chapter 2, Using the Setup Utility.
Also, this release of the BIG-IP system expands the number of user roles that you can assign to user accounts for the purpose of user authorization. In addition to the standard Full Read/Write, Partial Read/Write, and Read-Only access levels, you can now choose from three additional access levels. These access levels define which of the three interfaces an administrator can use to access the BIG-IP system (the Configuration utility, the command line interface, or the iControl interface). These user authorization roles are stored in the local LDAP database on the BIG-IP system and are designed to operate in concert with centralized LDAP and RADIUS authentication. For more information on managing user accounts, see the BIG-IP Reference Guide, Chapter 17, Administering the BIG-IP System.
Other useful security features in this release are intrusion detection and protection from denial-of-service attacks. This release includes two new features to assist in detecting network intruders: VLAN mirroring and clone pools. When you enable a clone pool, a copy of any traffic directed to a pool is also sent to a node in the clone pool, for example an intrusion detection sensor. The release also includes two new global variables that define high-water and low-water marks for the adaptive reaping of connections. For more information about VLAN mirroring and clone pools, see the BIG-IP Reference Guide, Chapter 3, Post-Setup Tasks, VLANs, and Chapter 4, Pools.
Universal Inspection Engine
The Universal Inspection Engine (UIE) allows you to apply business decisions to applications and web services, and provides granular control for switching, persistence, and application-level security. The BIG-IP system version 4.5 can inspect the full HTTP or TCP content of a connection, not only the headers.
Other rule enhancements
In addition to the new rule functions and variables designed for universal content switching, the rules syntax has been further expanded to include two new rule statements, log and accumulate. Furthermore, you can now store your class lists externally instead of within the bigip.conf file. Storing your class lists externally improves performance and allows for incremental updates to those lists. To support this feature, you can store external class lists using either the Configuration utility or the iControl interface. For more information about these new functions, see the BIG-IP Reference Guide, Chapter 5, iRules.
Enhanced support for global variables
A number of new global variables are included in this release, such as variables that define high-water and low-water marks for the adaptive reaping of connections to prevent denial-of-service attacks. Also, the Configuration utility now shows all global variables and presents them in categories, according to function. For more information about these global variables, see the BIG-IP Reference Guide, Appendix A, bigpipe Command Syntax.
RealServer plug-in for UNIX systems
With this release comes support for RealSystem® Server systems running on the UNIX operating system. This feature provides the ability to dynamically load balance and monitor UNIX systems that are running the RealSystem® Server application. Once you have compiled and installed the plug-in, you can set up your pool for dynamic load balancing, and create a health monitor to monitor the traffic load on the RealSystem® Server system. For more information about the RealSystem Server plug-in, see the BIG-IP Reference Guide, Chapter 11, Monitors.
New health monitor features
This release includes a new EAV health monitor, udp, which allows you to check the status of UDP connections. Also, the reverse attribute, which marks a node as down based on a received string, is now available for the https and https_443 monitors. For more information about these monitors, see the BIG-IP Reference Guide, Chapter 11, Monitors.
Other load balancing enhancements
This release includes several new load balancing features, including enhanced administration of load-balanced connections. For example, through the Configuration utility, the bigpipe command, or bigapi, you can now dump connections verbosely, or configure a timeout for idle HTTP connections. Also, by writing rule-type expressions within pool definitions, you can cause a pool to send a connection directly to one of its pool members. For more information about these features, see the BIG-IP Reference Guide, Chapter 5, iRules and Chapter 4, Pools.
Support for Link Controller
This release of the BIG-IP system includes an add-on Link Controller module for all BIG-IP HA systems. This module includes such features as support for single routers with multiple IP addresses and uplinks, full duplex billing support, and support for multiple outbound router pools. Also included is a significantly enhanced Web user interface, designed to ease basic link-controller configuration steps and provide more detailed statistics information.
All users installing this upgrade are required to obtain a new license. To obtain a new license, follow the instructions for Activating the license.
Important: You must complete the authorization and licensing process before you run the configuration utility to configure the unit. If you do not obtain a license before you run the configuration utility, the system may behave in an unexpected manner.
Read mode classes cannot be changed by the BIG-IP software (CR23259)
The BIG-IP software does not change Read mode classes. This means that classes are not automatically reloaded when you change the underlying file. To reload the class data in the kernel, simply define the class again. The existing data for the class is deleted and the new data is loaded.
Changes to the admin account during an upgrade
When upgrading to BIG-IP version 4.5 from a previous version, the BIG-IP system manages the Configuration utility access level assigned to the admin account by retaining the same access level that was assigned to the account prior to the upgrade. Once the upgrade is completed, we recommend that you promote the access level on this account to CLI + Full Read/Write.
Using certificate revocation lists (CRLs) (CR23468)
If you are using certificate revocation lists (CRLs), it is important to note that CRLs become outdated. Each CRL carries a Next Update time, and it is common for a CRL to require replacement anywhere from every day to every 30 days. Once a CRL is past its Next Update time, the BIG-IP system rejects every client certificate, valid as well as revoked, so an expired CRL is an outage rather than a silent weakening. It is important to have a plan in place to ensure that updated CRL files are installed on your BIG-IP system as soon as they become available.
To see when a CRL file needs to be updated, check its Next Update field by entering the following command from the /config/bigconfig/ssl.crl directory:
openssl crl -in <crl name> -text -noout
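The following script is an added example, not part of the release note and not F5 code. It parses the Next Update field as printed by openssl crl -nextupdate (a constructed sample line is embedded for offline use) and classifies a CRL as current, expiring or expired, so the check can run from cron before the BIG-IP system starts rejecting every client certificate. The three-day warning threshold and the assumption that the CRL files are PEM-encoded are the example's own.

```python
import subprocess
from datetime import datetime, timezone

# Output of "openssl crl -in <crl> -noout -nextupdate", constructed for this
# example rather than captured from a real BIG-IP system.
SAMPLE_NEXTUPDATE = "nextUpdate=Mar  5 00:00:00 2007 GMT\n"


def utc(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' as an aware UTC datetime (helper for tests)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_next_update(openssl_output):
    """Extract the CRL Next Update time from openssl's -nextupdate output."""
    for line in openssl_output.splitlines():
        if line.startswith("nextUpdate="):
            # openssl pads single-digit days with two spaces; collapse them
            value = " ".join(line.split("=", 1)[1].split())
            parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
            return parsed.replace(tzinfo=timezone.utc)
    raise ValueError("no nextUpdate field in openssl output")


def days_remaining(openssl_output, now):
    """Days (fractional) until the CRL's Next Update time; negative if past."""
    return (parse_next_update(openssl_output) - now).total_seconds() / 86400


def crl_status(openssl_output, now=None, warn_days=3):
    """'expired' means the SSL proxy will reject every client certificate."""
    now = now or datetime.now(timezone.utc)
    left = days_remaining(openssl_output, now)
    if left <= 0:
        return "expired"
    if left <= warn_days:
        return "expiring"
    return "current"


def read_next_update(crl_path, inform="PEM"):
    """Run the local openssl binary against a CRL file (PEM assumed; pass DER if needed)."""
    cmd = ["openssl", "crl", "-in", crl_path, "-inform", inform,
           "-noout", "-nextupdate"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    import sys
    # Usage: python crl_check.py /config/bigconfig/ssl.crl/*.crl
    for path in sys.argv[1:]:
        print(path, crl_status(read_next_update(path)))
```

Run it against every file in /config/bigconfig/ssl.crl and alert on anything other than "current"; the warning window should be longer than the time it takes you to fetch and install a fresh CRL.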
Configuring remote authentication after upgrade (CR24544)
Use the following procedure to configure remote authentication after an upgrade:
The following items are known issues in the current release.
For the latest known issues for this release, please refer to AskF5 (http://tech.f5.com)
Fan and temperature monitoring with SNMP
SNMP queries for fan speed, CPU temperature, and power supply status are functional for certain platforms. Currently, fan and temperature monitoring is supported only for the following platforms:
For these platforms, periodic monitoring is not enabled by default. You can enable it by uncommenting the line in /config/crontab that runs system_check every two minutes. Be aware that the system_check script consumes CPU time and can affect performance. Fan and temperature SNMP monitoring is not supported on the following platforms with this version of the BIG-IP software:
SSH access host restrictions are now configured in /etc/hosts.allow (CR25530)
In previous versions, /etc/ssh2/sshd2_config and /etc/sshd_config controlled SSH access. The upgrade to this version ignores any SSH access restrictions configured in those files and reverts to a default that allows all hosts to connect. If you restrict SSH access to certain networks or IP addresses, you must reconfigure those restrictions once the upgrade has completed, and you should verify them before returning the unit to service. To do this, type the following command to start the Setup utility and then press Enter:
Choose option S (Configure SSH) and set the restrictions you prefer.
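Because the upgrade silently opens SSH to every host, it is worth verifying the resulting /etc/hosts.allow and /etc/hosts.deny rather than trusting the Setup utility. The script below is an added example, not F5 code and not part of the release note: it evaluates tcp_wrappers rules the way the wrapper library does (hosts.allow first, then hosts.deny, and access granted when nothing matches), so an empty or missing rule set shows up as "not restricted". The sample files are constructed for the example, and the daemon name "sshd" is an assumption, since the release note does not say which name the SSH daemon presents to the wrapper library.

```python
import ipaddress

# Constructed sample files for this example; not taken from a BIG-IP system.
SAMPLE_HOSTS_ALLOW = """\
# management network and one jump host only
sshd: 10.1.0.0/255.255.0.0 192.168.10.5
"""
SAMPLE_HOSTS_DENY = """\
sshd: ALL
"""


def parse_wrapper_rules(text):
    """Parse tcp_wrappers lines of the form 'daemon_list : client_list [: allow|deny]'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        action = fields[2].lower() if len(fields) > 2 else None
        rules.append((fields[0].split(), fields[1].split(), action))
    return rules


def client_matches(pattern, ip):
    """Match one client pattern: ALL, a leading-octet prefix like '10.1.', net/mask, or an exact address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return ip == pattern


def rule_matches(rule, daemon, ip):
    daemons, clients, _ = rule
    return ("ALL" in daemons or daemon in daemons) and any(
        client_matches(c, ip) for c in clients)


def ssh_access_allowed(hosts_allow, hosts_deny, ip, daemon="sshd"):
    """Apply tcp_wrappers precedence: hosts.allow, then hosts.deny, then default allow."""
    for rule in parse_wrapper_rules(hosts_allow):
        if rule_matches(rule, daemon, ip):
            return rule[2] != "deny"       # 'ALL: ALL: deny' style rules live here too
    for rule in parse_wrapper_rules(hosts_deny):
        if rule_matches(rule, daemon, ip):
            return rule[2] == "allow"
    return True                            # no rule matched: the wrapper library grants access


def ssh_restricted(hosts_allow, hosts_deny, daemon="sshd"):
    """True when an arbitrary outside address would be refused; False means open to all hosts."""
    probe = "203.0.113.77"                 # TEST-NET-3 address, used only as a probe
    return not ssh_access_allowed(hosts_allow, hosts_deny, probe, daemon)


if __name__ == "__main__":
    # On the unit itself, read the real files instead of the samples.
    with open("/etc/hosts.allow") as f:
        allow = f.read()
    try:
        with open("/etc/hosts.deny") as f:
            deny = f.read()
    except FileNotFoundError:
        deny = ""
    print("SSH restricted:", ssh_restricted(allow, deny))
```

The probe address is the practical check: if an address you never listed is allowed, the post-upgrade state is still "all hosts", whatever option S appeared to save.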
The RADIUS port in /etc/services (CR20136)
Previous releases of this software use the RADIUS port 1645 as the default in /etc/services. This release uses the new IANA RADIUS port 1812.
Changing active-active failback values (CR22715)
In active-active configurations, we recommend that you do not change the default failback value of 60 seconds. If you change this value, failback may not work as designed.
Lower connection rate (CR23803)
In this release, single-processor BIG-IP platforms such as the 520 and 2000 are expected to have a maximum new-connection rate approximately 10% lower than in the version 4.2 release. The only impact is this reduction of the maximum connection rate; the general performance of single-processor systems is otherwise unchanged, and dual-processor systems are not affected.
b snat dump verbose (CR3519)
The b snat dump verbose command does not show the target address of the SNAT connection.
Tagged VLAN members as members of an aggregate in another VLAN (CR16353)
The configuration parser does not prevent you from adding tagged VLAN members as members of an aggregate in another VLAN. This configuration is not supported.
Error messages (CR19543)
A timeout message may display when nothing is plugged into the Intel Gig ether card. This message is harmless and does not affect the operation of the BIG-IP system.
Setting active-active mode using the Configuration utility (CR19794)
With network failover enabled, you cannot use the Configuration utility to configure active-active mode. When you have network failover enabled, use the command line interface to set active-active mode.
You must delete a SNAT before you can redefine it (CR19798)
In the Configuration utility, before you can redefine a SNAT, you must delete it.
Link aggregation and STP (CR20268)
When the Tx side of a fiber link goes down, the Rx link does not. This can cause problems when using link aggregation or STP.
Broadcom 582x driver error message (CR20461)
Currently the Broadcom 582x driver does not return an error if the hardware operation times out.
Default gateway pools with SNAT automap (CR20801)
Configuring a default gateway pool with SNAT automap causes packets in a single connection to be sent to multiple routers. In this case errant packets may not be re-SNATed. If you want to configure default gateway pools and SNAT automap, we recommend that you configure a wildcard network virtual server in front of the SNAT. The wildcard virtual server then routes by connection, using the cached node routes.
Header insert (CR21617)
When you specify the header insert attribute for a pool, 128 bytes is the maximum allowable header length. If you exceed this length, the pool is configured without header insertion.
Interface show verbose (CR21625)
When an interface has been added to a VLAN but the BIG-IP unit has not been rebooted, the interface show verbose command indicates that Intel Copper NIC has "No Carrier".
Windows uploads (CR22043)
Delayed-acks may throttle Windows uploads to 40K per second.
Failover when the nCipher card fails (CR22172)
The BIG-IP system does not currently support failover when the nCipher card fails.
Resets (RSTs) from aging out connections can have incorrect sequence numbers (CR22219)
In certain cases, resets (RSTs) from aging out connections can have incorrect sequence numbers. This may cause some connections to hang.
Changing the support user role using the Setup utility (CR22593)
If you want to change the support user role using the Setup utility, you must remove the support user and then re-add the support user with the desired role.
IpInfusion OSPF routing (CR22751)
If you are using the IpInfusion OSPF routing daemon in an active-standby configuration, the OSPF daemon on the standby unit does not participate in the routing process until the standby unit becomes active. If the unit is active and running OSPF when fail-over occurs, the OSPF daemon stops participating in the routing process and routes then timeout according to the configured OSPF intervals.
Partial Read/Write and Read Only users cannot synchronize passwords to other unit (CR22774)
Partial Read/Write and Read Only users can change their passwords; however, these users cannot run configsync to synchronize the changed passwords to the other unit. We recommend that these users change their passwords manually on both units.
When you run configsync, you may have to re-login to the target BIG-IP unit.
The ftpd and user authentication (CR22894)
The ftpd only authenticates users that are in /etc/passwd.
Very large configurations and bigtop (CR22982)
Very large configurations, for example 260K with 2500 virtual servers, may slow bigtop down significantly.
Defining default VLANs in the Web-based Setup utility (CR23048)
The Web-based Setup utility does not prevent you from adding the same interface to different VLANs. When you save the configuration, the interface is assigned to the last VLAN to which you added it.
SSL Proxy: Feature to rewrite redirects not compatible with the plain text proxy (CR23059)
Configuring rewrite redirects with a proxy where client-side SSL is disabled (and server-side SSL enabled) is not supported.
Viewing port denial warnings using the Configuration utility (CR23108)
The Illegal Attempts screen has been removed from the Configuration utility in this release. To view port denial warnings that have been logged in the Configuration utility, click Log Files in the navigation pane, and select the BIG-IP Log tab.
Configuration utility: Enable reset on service down and connection rebind features not compatible (CR23202)
Attempting to set the enable reset on service down and connection rebind features on a virtual server returns an error message that states these features are not compatible. However, the Configuration utility creates the virtual server.
The ARP table next hop is not updated if all node pings and health checks are removed (CR23504)
In certain situations, the ARP table next hop is not updated if all node pings and health checks are removed.
ARP replies to the virtual server node (CR23460)
The BIG-IP system does not forward ARP replies to the virtual server node.
bigpipe proxy show (CR23848)
bigpipe proxy show may display current and max connection statistics that exceed the configured limit. This is because the current connection count includes connections that the proxy has not yet accepted or has already closed, but for which the kernel is still holding a connection data structure.
Error message when attempting to delete base monitors (CR24073)
If you attempt to delete the TCP or UDP base monitors, you receive the following inaccurate error message: syntax error, refer to extended help for assistance. This error message should read: Root monitor templates may not be deleted.
Host names that begin with a digit (CR24133)
bigpipe does not recognize host names that start with a digit.
Kernel message: unexpected chip or driver state (CR24149)
If you are passing large amounts of traffic through an aggregated link, and one or all of the connections on the link go down, you may see a kernel message similar to the following:
Error: LinkScan: Unit 1 Port 21: bcm_port_update failed: Unexpected chip or driver state
This message is harmless and has no effect on the operation of the BIG-IP system.
memory_reboot_percent and dumptftp combination may lead to delayed recovery (CR24295)
If you surpass the value set for the memory_reboot_percent, and have dumptftp configured, there may be a small delay before a unit can fail-over.
Errant STP message in the BIG-IP system log (CR24300)
A message may be logged that the STP daemon has started on a system where you are not using STP. This message is harmless.
Netmask with a trailing . (CR24323)
If you configure a netmask with a trailing "." for example (255.255.255.0.), you may receive a load error.
Configuration utility: Key ID and certificate ID lengths (CR24372)
The Configuration utility does not warn you if you create a key ID or certificate ID that is over the maximum number of characters allowed. The maximum key ID length allowed is 58 characters. The maximum certificate ID length allowed is 59 characters.
VLAN group in non-opaque mode (CR24409)
When you configure the BIG-IP system to bridge between two VLANs in either transparent or translucent mode, packets that are destined to the same VLAN as they were received on are transmitted back to the segment, causing duplicate packets. To fix this problem, set the bridge mode to opaque, or use a switch instead of a hub.
Creating .ucs file names (CR24425)
You are currently able to create .ucs file names that contain invalid characters. If you attempt to install these files, you receive an invalid character error message, and the .ucs files do not install.
Mismatched certificates prevent archive importing (CR24437)
A key and a certificate that have the same name but are not logically paired (the certificate's public key does not match the private key) prevent the successful import of new archives. These files must be deleted or renamed.
VLAN mirroring is not available for LB, FLB, and CLB products (CR24465)
The command line interface allows you to set up VLAN mirroring for the LB, FLB, and CLB products; however, this feature is not supported on these platforms and VLAN mirroring does not work. If you want to use VLAN mirroring, you must have a license for the HA product, or a Switch Appliance.
Configuring FTP (CR24479)
When you run the Setup utility, the external VLAN has port lockdown enabled by default. If you are configuring FTP, remember that the only VLANs that will be accessible through FTP are VLANs with port lockdown disabled.
Deleting the Default Gateway Pool using the Setup utility (CR24519)
If you define a default gateway pool using the Setup utility, and then define a virtual server or other network objects on the pool, you will not be able to delete the pool using the Setup utility as long as the pool is in use. In order to delete the pool using the Setup utility, you must first remove all IP addresses and network objects associated with the pool.
Upgrade error messages (CR24534)
During upgrade, bigpipe load may display error messages during the first load. These error messages are harmless and do not affect the upgrade process.
globalStatMaxConn SNMP OID (CR24553)
The globalStatMaxConn SNMP OID's description says "Maximum number of active connections allowed." The correct meaning of this OID is "The maximum number of connections this load balancer has serviced at one time."
Invalid BIG-IP e-Commerce Controller config options (CR24566)
When you run config for the BIG-IP e-Commerce Controller, the invalid redundant system option is listed in the menu. Redundant options are not available for the standalone BIG-IP e-Commerce Controller.
Users may be incorrectly logged as the root user.
FTP data connection does not set TOS or QOS (CR24644)
FTP does not currently set the QOS and TOS bits on the data connection.
Apache Tomcat VU#672683 (CR24689)
The BIG-IP system is vulnerable to VU#672683.
Configuration utility: VLAN Group and VLAN Group Properties pages name box (CR24719)
The VLAN Group and VLAN Group Properties pages in the Configuration utility allow you to type 31-character names in the name box. However, the maximum name length supported is 15 characters.
Upgrade error messages (CR24744)
If you upgrade from a BIG-IP 4.2 product with a previously running configuration, you may receive error messages after the first reboot. These error messages are harmless and do not affect the operation of the BIG-IP system.
ANIP kernel on a dual-processor machine (CR24758) (CR23640)
Configuring or booting the ANIP kernel on a dual-processor machine that does not have any ANIP-capable (gigabit) interfaces may cause the system to become unstable. If the kernel is not in ANIP mode (see the cpu anip command to determine this), we recommend that you change to the SMP kernel for better utilization of the second processor.
iControl and remote authentication (CR24868)
If an iControl client (such as configsync) connects to the portal with remote authentication enabled and soon afterward the system is changed to use local authentication, subsequent iControl requests into the portal are rejected with the InvalidUser exception. To prevent this, we recommend that you shut down and restart the portal using the following commands:
bigstart shutdown portal
The bigip.conf retains Certificate Map information (CR24769)
In the Configuration utility, if you set up the authorization model to use Certificate Map, and then change the authorization model to just use Certificate, the bigip.conf retains the Certificate Map information. However, the authorization model switches to Certificate without affecting the functionality.
Network failover with gateway failsafe (CR24870)
When using network failover and gateway failsafe, you must use the force active and force standby failover feature.
authz user key (CR24880)
If you enter "user" for the authz user key your configuration will not load properly.
Rebooting the controller and mra.config.log.[nn] files in the /var/log directory (CR24922)
When you reboot the BIG-IP system, you may see files named mra.config.log.[nn] in the /var/log directory. These files and their output are not relevant to the BIG-IP server appliance and are therefore benign.
Memory exhaustion side-effects (CR24940)
In certain circumstances, proxyd and other user processes may not respond when memory is exhausted.
Switch platforms and STP (CR25113)
Using the halt command to halt the system with Spanning Tree Protocol (STP) enabled and participating in a STP domain may create a bridge loop on the switch platform.
Changes in US and Canada Daylight Saving Time (CR58321)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes are not reflected in this version of the product software. To find out more about this issue, refer to SOL6551: F5 Networks software compliance with the Energy Policy Act of 2005.